b'                                           AAAAAAAAAAAAAAAAA\n\n\n\n\n              U.S. Department of Energy\n              Office of Inspector General\n              Office of Inspections and Special Inquiries\n\n\n\n\nInspection Report\n\nInternal Controls Over Computer\nProperty at the Department\xe2\x80\x99s\nCounterintelligence Directorate\n\n\n\n\nDOE/IG-0762                                  March 2007\n\x0c\x0c\x0cINTERNAL CONTROLS OVER COMPUTER PROPERTY AT\nTHE DEPARTMENT\xe2\x80\x99S COUNTERINTELLIGENCE\nDIRECTORATE\n\n\n\n\nTABLE OF\nCONTENTS\n\n\n              OVERVIEW\n\n              Introduction and Objective            1\n\n              Observations and Conclusions          2\n\n\n              DETAILS OF FINDINGS\n\n              Property Not Located                  3\n\n              Property Not in Inventory             4\n\n              Expired Loan Documentation            5\n\n              Computers Not Properly Labeled        5\n\n\n              RECOMMENDATIONS                       5\n\n\n              MANAGEMENT COMMENTS                   6\n\n\n              INSPECTOR COMMENTS                    6\n\n\n              APPENDICES\n\n              A. Scope and Methodology              7\n\n              B. Prior Sensitive Property Reports   8\n\n              C. Management Comments                9\n\x0cOverview\n\nINTRODUCTION    The Office of Intelligence and Counterintelligence conducts\nAND OBJECTIVE   technical analyses of foreign intelligence for the Department of\n                Energy (DOE), including the National Nuclear Security\n                Administration, and the United States Intelligence Community.\n                The Counterintelligence Directorate (CN), which is part of the\n                Office of Intelligence and Counterintelligence, is responsible for\n                protecting DOE information against espionage or other intelligence\n                activities by foreign entities. In support of this mission, CN\n                procures and maintains computer processing equipment such as\n                desktop computers, laptop computers, and computer servers. DOE\n                considers computer property to be \xe2\x80\x9csensitive property,\xe2\x80\x9d which is\n                required to have specific controls in place. The objective of this\n                inspection was to determine the adequacy of internal controls over\n                computer property maintained by the CN Headquarters program\n                office.\n\n                The Office of Inspector General (OIG) has issued several reports\n                relating to accountability and internal controls over sensitive\n                property. These reports are listed in Appendix B. In March 2006,\n                we issued a report entitled \xe2\x80\x9cInternal Controls Over Sensitive\n                Property in the Office of Intelligence,\xe2\x80\x9d DOE/IG-0722. Officials\n                with the Office of Intelligence informed us that they had improved\n                their property accountability system subsequent to our review. At\n                the time of that review, the Office of Intelligence was separate\n                from what was then called the Office of Counterintelligence. In\n                March 2006, the two offices were consolidated into the Office of\n                Intelligence and Counterintelligence. We have been informed that\n                CN\xe2\x80\x99s sensitive property will be consolidated into the Office of\n                Intelligence and Counterintelligence\xe2\x80\x99s property accountability\n                system in the near future.\n\n\n\n\nPage 1                       Internal Controls Over Computer Property at the\n                                 Department\xe2\x80\x99s Counterintelligence Directorate\n\x0cOBSERVATIONS AND   Internal controls over classified and unclassified computer\nCONCLUSIONS        property at CN were inadequate. Specifically, CN could not\n                   locate 20 desktop computers listed on its property inventory that\n                   either processed or may have processed classified information. We\n                   identified control weaknesses that further undermined confidence\n                   in CN\xe2\x80\x99s ability to assure that its computers and the information\n                   they contain were appropriately controlled; were adequately\n                   safeguarded from loss and theft; and, were controlled in\n                   accordance with existing security requirements.\n\n                   We further noted that:\n\n                      \xe2\x80\xa2   Fifty-seven computers were not included on CN\xe2\x80\x99s property\n                          inventory, as required by DOE\xe2\x80\x99s Property Management\n                          Standards;\n\n                      \xe2\x80\xa2   CN had expired loan agreements for 96 Headquarters\n                          computers that were located at CN field sites; and,\n\n                      \xe2\x80\xa2   Labels indicating the classification level of individual\n                          computers were not affixed to 74 CN computers, as\n                          required.\n\n                   Concerns about the complex-wide system of computer controls and\n                   accountability have plagued the Department for a number of years.\n                   As we found in several recent OIG reviews, strict property\n                   procedures need to be consistently applied to classified and\n                   unclassified computers and a robust program of review and\n                   evaluation needs to be in place to assure that all computer\n                   resources are accounted for and controlled. It was apparent that\n                   CN did not have procedures in place to achieve this objective.\n                   Considering the sensitivity of the data regularly processed in CN,\n                   the shortcomings identified during our review were of major\n                   concern.\n\n\n\n\nPage 2                                              Observations and Conclusions\n\x0cDetails of Findings\n\nPROPERTY              We found that CN could not locate 20 desktop computers listed on\nNOT LOCATED           its property inventory that either processed or may have\n                      processed classified information.\n\n                      During our initial inventory of 618 computers assigned to CN\n                      Headquarters, CN was unable to locate 241 computers.\n                      Subsequently, CN located all but 20 of these items. CN indicated\n                      that 14 of these 20 computers processed classified information at\n                      the Secret level and the remaining 6 could have processed\n                      classified information. CN concluded it could not find the 20\n                      computers or find appropriate documents that addressed their\n                      ultimate disposition.\n\n                      A \xe2\x80\x9cRetirement Work Order\xe2\x80\x9d (RWO) was used to remove lost,\n                      stolen, or damaged items from an office\xe2\x80\x99s inventory. Following\n                      inquiries by the OIG, CN submitted RWOs for these 20 computers\n                      to the DOE Office of Management, which maintains the database\n                      of CN sensitive property at Headquarters. The RWOs for all 20\n                      items indicated that CN believed that these items were excessed at\n                      some point in time. For example, there was evidence that at least 2\n                      items were possibly excessed in 2002, although CN did not have\n                      confirmatory documentation regarding the disposition of these or\n                      any of the 20 computers.\n\n                      We also noted an anomaly with the RWOs. CN listed one computer\n                      on a January 11, 2007, RWO as being excessed at a CN field\n                      location, despite the fact that the OIG located the computer in\n                      question at CN Headquarters in late December 2006. Once notified\n                      that the OIG had previously located this computer, CN conducted a\n                      search for the unit and located it in late January 2007. On\n                      January 30, 2007, CN informed the Office of Management it had\n                      \xe2\x80\x9cerroneously\xe2\x80\x9d listed this computer on the recent RWO document.\n                      We learned that the computer was placed back into CN\xe2\x80\x99s inventory.\n\n                      DOE Manual 470.4-1, \xe2\x80\x9cSafeguards and Security Program Planning\n                      and Management,\xe2\x80\x9d specifies that any suspected or confirmed loss\n                      of classified matter by any \xe2\x80\x9cmedium, method, or action\xe2\x80\x9d be\n                      reported as a security incident. Additionally, the DOE\n                      Headquarters Personal Property and Supply Management\n                      Operating Procedures states that a program office\xe2\x80\x99s Accountable\n                      Property Representative must report all stolen, lost or damaged\n                      property to the Office of Security Operations.\n\n                      Not until after our inquiries did CN report 11 of these items to the\n                      DOE Office of Security Operations. Further, CN took the position\n\n\n\nPage 3                                                               Details of Findings\n\x0c                   that the remaining nine computers did not need to be similarly\n                   reported because CN believed they were excessed by the field sites\n                   to which the computers had been loaned. An Office of Security\n                   official advised us that the circumstances represented by these nine\n                   items is a \xe2\x80\x9cgray area\xe2\x80\x9d in the reporting requirements and that it is at\n                   the discretion of the program office whether to report the items.\n\n                   We noted that one of the computers reported to the Office of\n                   Security Operations as missing was the one that the OIG located in\n                   December 2006. As indicated above, this item was listed on an\n                   RWO and then later returned to the CN inventory. We also noted\n                   that although labeled as an unclassified computer when located by\n                   the OIG in December 2006, CN informed the Office of Security\n                   Operations that it had processed information at the Secret level.\n\n                   We believe that because of the potential security implications and\n                   the fact that CN does not have definitive information as to the\n                   disposition of these items, it should report the circumstances\n                   regarding the remaining nine computers to the Office of Security\n                   Operations to determine whether an actual loss or theft had taken\n                   place.\n\nPROPERTY           We found that 57 computers were not included on CN\xe2\x80\x99s property\nNOT IN INVENTORY   inventory, as required by DOE\xe2\x80\x99s Property Management Standards.\n                   DOE Property Management Standards, found in 41 Code of\n                   Federal Regulations Part 109, specifies that all sensitive property,\n                   including computer property, be controlled and inventoried\n                   annually.\n\n                   During our initial inventory of CN computers, we physically\n                   identified 45 that were not in CN\xe2\x80\x99s inventory. We determined that\n                   14 of these 45 computers were from the Pacific Northwest\n                   National Laboratory (PNNL) and were sent to CN Headquarters at\n                   various times during the past four years. During our attempts to\n                   determine why the PNNL computers were not in CN\xe2\x80\x99s inventory,\n                   we also learned that there were 12 additional PNNL computers that\n                   had been sent to CN Headquarters without having been entered\n                   into CN\xe2\x80\x99s inventory. We determined that these computers had\n                   been transferred to another DOE program office during the past\n                   two years without proper transfer or accountability documentation.\n                   Additionally, we found paperwork that indicated another PNNL\n                   computer may have been sent to CN Headquarters. CN informed\n                   us that it had no evidence that the computer was ever received or\n                   utilized by CN Headquarters. We were unable to resolve this\n                   inconsistency.\n\n\n\n\nPage 4                                                             Details of Findings\n\x0cEXPIRED LOAN       We found that CN had expired loan agreements for 96\nDOCUMENTATION      Headquarters computers that were located at CN field sites. We\n                   determined that 96 of the 241 items that we were unable to locate\n                   during our initial inventory were on loan to CN field sites. A loan\n                   agreement, which is to be generated by the organization\n                   transferring an item to another organization for a maximum of one\n                   year, had been prepared for the 96 computers as required.\n                   However, the loan agreements had expired in June and July 2006.\n                   Following inquiries from the OIG, CN generated new loan\n                   agreements for all but ten of these items. Regarding the remaining\n                   ten computers, CN disposed of eight of the computers and it\n                   advised us that new loan agreements are currently being prepared\n                   for the last two.\n\nCOMPUTERS NOT      We found that labels indicating the classification level of\nPROPERLY LABELED   individual computers were not affixed to 74 CN computers, as\n                   required. Because CN maintains unclassified and classified\n                   computers in its offices, CN\xe2\x80\x99s Master Security Plan requires that\n                   all hardware be properly labeled as processing Unclassified,\n                   Confidential, or Secret information, as appropriate. Although not\n                   mentioned in the CN Master Security Plan, CN said that Top\n                   Secret computers also need to have labels.\n\nRECOMMENDATIONS    Considering the sensitivity of the data regularly processed in CN\n                   and the shortcomings identified above, we recommend that the\n                   Director, Office of Intelligence and Counterintelligence ensure\n                   that:\n\n                   1. Internal controls over Counterintelligence Directorate\n                      computer property are strengthened so that it is accounted for\n                      in a timely manner;\n\n                   2. All items previously reported to the Office of Management on\n                      Retirement Work Orders are appropriately reported to the\n                      Office of Security Operations; and\n\n                   3. All computer equipment assigned to the Counterintelligence\n                      Directorate is appropriately marked as processing Unclassified,\n                      Confidential, Secret, or Top Secret information.\n\n\n\n\nPage 5                                                           Recommendations\n\x0cMANAGEMENT   In comments on our draft report, management agreed with the\nCOMMENTS     recommendations. Management\xe2\x80\x99s comments are included in their\n             entirety at Appendix C.\n\nINSPECTOR    We found management\xe2\x80\x99s comments to be responsive to our\nCOMMENTS     recommendations. However, because the comments did\n             not provide an implementation plan with target dates for\n             each recommendation, a management decision is required.\n\n\n\n\nPage 6                             Management and Inspector Comments\n\x0cAppendix A\n\nSCOPE AND     This review included interviews with Federal and contractor\nMETHODOLOGY   officials with the DOE Office of Intelligence and\n              Counterintelligence and the DOE Office of Management. We\n              reviewed applicable policies and procedures pertaining to the\n              management of computer property. We obtained CN\xe2\x80\x99s inventory\n              listing from the Office of Management, which conducted an\n              inventory of all CN property in 2006. We used this inventory\n              listing as a baseline to conduct our inventory and evaluate CN\xe2\x80\x99s\n              internal controls over computer property. We conducted a physical\n              inventory of all CN computer property at Headquarters locations in\n              Washington, DC, and Germantown, MD.\n\n              Also, pursuant to the \xe2\x80\x9cGovernment Performance and Results Act\n              of 1993,\xe2\x80\x9d we examined performance measurement processes as\n              they related to computer property.\n\n              This inspection was conducted in accordance with \xe2\x80\x9cQuality\n              Standards for Inspections\xe2\x80\x9d issued by the President\xe2\x80\x99s Council on\n              Integrity and Efficiency.\n\n\n\n\nPage 7                                               Scope and Methodology\n\x0cAppendix B\n\n                              Prior Sensitive Property Reports\n\n  \xe2\x80\xa2   \xe2\x80\x9cExcessing of Computers Used for Unclassified Controlled Information at the Idaho\n      National Laboratory,\xe2\x80\x9d DOE/IG-0757, February 2007;\n\n  \xe2\x80\xa2   \xe2\x80\x9cDestruction of Classified Hard Drives at Sandia National Laboratory-New Mexico,\xe2\x80\x9d\n      DOE/IG-0735, August 2006;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls for Excessing and Surplusing Unclassified Computers at Los Alamos\n      National Laboratory,\xe2\x80\x9d DOE/IG-0734, July 2006;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls Over Sensitive Property in the Office of Intelligence,\xe2\x80\x9d DOE/IG-0722,\n      March 2006;\n\n  \xe2\x80\xa2   \xe2\x80\x9cControl and Accountability of Emergency Communication Network Equipment,\xe2\x80\x9d\n      DOE/IG-0663, September 2004;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls Over the Accountability of Computers at Sandia National Laboratory,\n      New Mexico,\xe2\x80\x9d DOE/IG-0660, August 2004;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls Over Personal Computers at the Los Alamos National Laboratory,\xe2\x80\x9d\n      DOE/IG-0656, August 2004;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls Over Classified Computers and Classified Removable Media at the\n      Lawrence Livermore National Laboratory,\xe2\x80\x9d DOE/IG-0628, December 2003;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInternal Controls Over Laptop and Desktop Computers at the Savannah River Site,\xe2\x80\x9d\n      INS-L-03-09, July 2003;\n\n  \xe2\x80\xa2   \xe2\x80\x9cManagement of Sensitive Equipment at Selected Locations,\xe2\x80\x9d DOE/IG-0606, June 2003;\n\n  \xe2\x80\xa2   \xe2\x80\x9cInspection of Internal Controls Over Personal Computers at Los Alamos National\n      Laboratory,\xe2\x80\x9d DOE/IG-0597, April 2003; and\n\n  \xe2\x80\xa2   \xe2\x80\x9cOperations at Los Alamos National Laboratory,\xe2\x80\x9d DOE/IG-0584, January 2003.\n\n\n\n\nPage 8                                                    Prior Sensitive Property Reports\n\x0cAppendix C\n\n\n\n\nPage 9       Management Comments\n\x0cAppendix C\n\n\n\n\nPage 10      Management Comments\n\x0c                                                                    IG Report No. DOE/IG-0762\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\xe2\x80\x99 requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\xe2\x80\x99s overall\n   message clearer to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we have\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Judy Garland Smith at (202) 586-7828.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly\nand cost effective as possible. Therefore, this report will be available electronically through the\n                                Internet at the following address:\n\n               U.S. Department of Energy Office of Inspector General Home Page\n\n                                     http://www.ig.energy.gov\n\n   Your comments would be appreciated and can be provided on the Customer Response Form\n                                  attached to the report.\n\x0c'